Language Selection

English French German Italian Portuguese Spanish

Visa to Bar Transactions by Processor

Filed under
Security

Visa USA said yesterday that it would stop allowing the payment processor CardSystems Solutions to handle its transactions, months after the processor left the records of millions of cardholders at risk for fraud.

"CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts," said Tim Murphy, Visa's senior vice president for operations in a memorandum sent to several banks. "Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system."

Cardholders and merchants should not be affected by the change.

Visa said its decision to remove CardSystems came after a review and an independent investigation found that the payment processor had improperly stored cardholder data and did not have the proper controls in place.

It is unclear if MasterCard and American Express will take similar action, but with Visa accounting for more than half of all card transactions, the move raises questions about the future of CardSystems.

"I've never heard of them booting off a processor," said Avivah Litan, a security analyst at Gartner Inc., a technology research group. "The worst thing that I've heard is a processor that had to cough up $1 million."

The move came at least two months after Visa first learned that data had been compromised and just days before its executives, along with those of other major card companies, have been called to testify in Washington about their security practices. The chief executive of CardSystems, John M. Perry, is also expected to testify on Thursday.

In a statement released yesterday, CardSystems said Visa's decision was unexpected and upsetting. "We are disappointed and very surprised that Visa has decided to take this action today, not only because of the impact that it will have on our employees, but the disruption that it will cause to our 110,000 merchant customers," the processor said in a statement. "We hope that Visa will reconsider."

Visa has given at least 11 banks, which hired CardSystems to handle the merchant transactions, until the end of October to change processors, the memo said. Until then, CardSystems will be allowed to process Visa transactions as long as it has corrected any problems and allows a Visa-affiliated monitor on site to oversee its operations in Tucson. CardSystems is also banned from handling Visa transactions from its international affiliates or any new merchants, processors or member banks in the United States.

Visa had been weighing the decision for a few weeks but as recently as mid-June said that it was working with CardSystems to correct the problem. CardSystems hired an outside security assessor this month to review its policies and practices, and it promised to make any necessary upgrades by the end of August. CardSystems, in its statement yesterday, said the company's executives had been "in almost daily contact" with Visa since the problems were discovered in May.

Visa, however, said that despite "some remediation efforts" since the incident was reported, the actions by CardSystems were not enough.

"Visa cannot overlook the significant harm the data compromise and CardSystems' failure to maintain the required security protections has had on member financial institutions and merchants as well as the significant concerns it raised for cardholders," the company said in a statement.

At this point, it is unclear what the other branded card companies will do. MasterCard has previously said that it was giving CardSystems a "limited amount of time to demonstrate compliance with MasterCard security requirements" but never laid out a specific timetable.

Sharon Gamsin, a MasterCard spokeswoman, did not return calls seeking comment. Judy Tenzer, an American Express spokeswoman, said the company did not comment about its relationships with vendors. Leslie Sutton, a Discover Financial spokeswoman, could not offer an immediate response.
Visa's decision is the latest development since the disclosure in mid-June that the CardSystems computer network had been compromised, putting the cardholder names, account numbers and security codes of as many as 40 million credit and debit cardholders at risk for fraud. The information of about 22 million Visa cardholders was exposed; MasterCard reported the data of 14 million of its cardholders was potentially at risk; and the rest largely belonged to customers of American Express and Discover.

At the time, Mr. Perry of CardSystems acknowledged that the company had been improperly storing data, violating Visa and MasterCard security rules. He said data thieves directly obtained information related to some 200,000 cardholder accounts. The F.B.I and a group of federal banking regulators are now investigating.
In its statement, Visa offered its most scathing indictment of those security violations to date. The chief executive of CardSystem had "stated that the company knowingly retained unmasked magnetic stripe cardholder data, purportedly for 'research purposes,' " Visa said. "Visa's security requirements were adopted precisely for the purpose of protecting cardholder information and guarding against the type of data compromise recently experienced by CardSystems."

In the letter Visa sent to the banks, Mr. Murphy suggested that the data breach occurred as early as August 2004.

By ERIC DASH
The New York Times.

More in Tux Machines

Leftovers: OSS

  • Diving into Drupal: Princeton’s Multi-site Migration Success with Open-source
    Princeton University’s web team had a complex and overwhelming digital ecosystem comprised of many different websites, created from pre-built templates and hosted exclusively on internal servers. Fast forward six years: Princeton continues to manage a their multisite and flagship endeavors on the open-source Drupal platform, and have seen some great results since their migration back in 2011. However, this success did not come overnight. Organizational buy-in, multi-site migration and authentication were a few of the many challenges Princeton ran into when making the decision to move to the cloud.
  • GitHub Invites Developers to Contribute to the Open Source Guides
    GitHub has recently launched its Open Source Guides, a collection of resources addressing the most common scenarios and best practices for both contributors and maintainers of open source projects. The guides themselves are open source and GitHub is actively inviting developers to participate and share their stories.
  • Top open source projects
    TechRadar recently posted an article about "The best open source software 2017" where they list a few of their favorite open source software projects. It's really hard for an open source software project to become popular if it has poor usability—so I thought I'd add a few quick comments of my own about each.
  • Dropbox releases open-source Slack bot
    Dropbox is looking to tackle unauthorized access and other security incidents in the workplace with a chatbot. Called Securitybot, it that can automatically grab alerts from security monitoring tools and verify incidents with other employers. The company says that through the use of the chatbot, which is open source, it will no longer be necessary to manually reach out to employees to verify access, every time someone enters a sensitive part of the system. The bot is built primarily for Slack, but it is designed to be transferable to other platforms as well.
  • Dropbox’s tool shows how chatbots could be future of cybersecurity
    Disillusion with chatbots has set in across the tech industry and yet Dropbox’s deep thinkers believe they have spotted the technology’s hidden talent: cybersecurity.

Desktop GNU/Linux

  • Entroware have unleashed the 'Aether' laptop for Linux enthusiasts featuring Intel's 7th generation CPUs
  • New Entroware Aether Laptop Pairs Intel Kaby Lake with Ubuntu
    The new Entroware Aether is the latest Linux powered laptop from British company Entroware, and is powered by the latest Intel Kaby Lake processors.
  • Freedom From Microsoft v1.01
    But we can be Free from Microsoft! As we saw above, there is a powerful – and now popular movement afoot to make alternative software available. The Free Software Foundation, and the GNU Project, both founded by Richard Stallman, provide Free software to users with licenses that guarantee users rights: the rights to view, modify, and distribute the software source code. With GNU-licensed software, such as Linux, the user is in complete control over the software they employ. And as people contribute to modify Free Software source code, and are required to share those modifications again, the aggregate creative acts give rise to the availability of many more, much more useful results. Value is created beyond what anyone thought possible, and our freedom multiplies.
  • Review of the week 2017/08
    This week we had to cancel a couple snapshots, as a regression in grub was detected, that caused issues on chain-loading bootloaders. But thanks to our genius maintainers, the issue could be found, fixed and integrated into Tumbleweed (and this despite being busy with hackweek! A great THANK YOU!). Despite those canceled snapshots, this review will still span 4 revisions: 0216, 0218, 0219 and 0224. And believe me, there have been quite some things coming your way.

Security Leftovers

  • [Older] The Secure Linux OS - Tails
    Some people worry a lot about security issues. Anyone can worry about their personal information, such as credit card numbers, on the Internet. They can also be concerned with someone monitoring their activity on the Internet, such as the websites they visit. To help ease these frustrations about the Internet anyone can use the Internet without having to “look over their shoulder”.
  • Password management made easy as news of CloudFlare leak surfaces
    In the last 24 hours, news broke that a serious Cloudflare bug has been causing sensitive data leaks since September, exposing 5.5 million users across thousands of websites. In addition to login data cached by Google and other search engines, it is possible that some iOS applications have been affected as well. With the scale of this leak, the best course of action is to update every password for every site you have an account for. If there was ever a good time to modernize your password practices, this is it. As consumers and denizens of the Internet, we have a responsibility to be aware of the risks we face and make an attempt to mitigate that risk by taking best-effort precautions. Poor password and authentication hygiene leaves a user open to risks such as credit card fraud and identity theft, just like forgetting to brush your teeth regularly can lead to cavities and gum disease. This leaves us with the question of what good password and authentication hygiene looks like. If we stick with the (admittedly poorly chosen) dentistry analogy, then there are five easily identifiable aspects of good hygiene.
  • Security: You might want to change passwords on sites that use Cloudflare
  • Smoothwall Express
    The award-winning Smoothwall Express open-source firewall—designed specifically to be installed and administered by non-experts—continues its forward development march with a new 3.1 release.

Leftovers: Ubuntu and Derivatives

  • 'Big Bang Theory's' Stuart wears Ubuntu T-shirt
    Am I the only person to notice that comic book shop-owning Stuart (Kevin Sussman) on the "The Big Bang Theory" is wearing an Ubuntu T-shirt on the episode airing Thursday, Feb. 23, 2017? (It's Season 10, Episode 17, if that information helps you.) The T-shirt appearance isn't as overt as Sheldon's mention of the Ubuntu Linux operating system way back in Season 3 (Episode 22, according to one YouTube video title), but it's an unusual return for Ubuntu to the world of "Big Bang."
  • Unity Explained: A Look at Ubuntu’s Default Desktop Environment
    Ubuntu is the most well-known version of Linux around. It’s how millions of people have discovered Linux for the first time, and continues to draw new users into the world of open source operating systems. So the interface Ubuntu uses is one many people are going to see. In this area, Ubuntu is unique. Even as a new user, rarely will you confuse the default Ubuntu desktop for something else. That’s because Ubuntu has its own interface that you can — but probably won’t — find anywhere else. It’s called Unity.
  • A Look at Ubuntu MATE 16.04.2 LTS for Raspberry Pi
    Installing Ubuntu MATE onto my Raspberry Pi 3 was straight forward. You can easily use Etcher to write the image to a microSD card, the partition is automatically resized to fill your microSD card when the pi is powered up for the first time, and then you are sent through a typical guided installer. Installation takes several minutes and finally the system reboots and you arrive at the desktop. A Welcome app provides some good information on Ubuntu MATE, including a section specific for the Raspberry Pi. The Welcome app explains that the while the system is based on Ubuntu MATE and uses Ubuntu armhf base, it is in fact using the same kernel as Raspian. It also turns out that a whole set of Raspian software has been ported over such as raspi-config, rpi.gpio, sonic-pi, python-sent-hat, omxplayer, etc. I got in a very simple couple of tests that showed that GPIO control worked.
  • Zorin OS 12 Business Has Arrived [Ed: Zorin 12.1 has also just been released]
    This new release of Zorin OS Business takes advantage of the new features and enhancements in Zorin OS 12, our biggest release ever. These include an all new desktop environment, a new way to install software, entirely new desktop apps and much more. You can find more information about what’s new in Zorin OS 12 here.